Context Navigation

source: branches/samba-3.2.x/source/nsswitch/libwbclient/wbc_pam.c

Visit:

Last change on this file was 138, checked in by Paul Smedley, 17 years ago
Update source to 3.2.0 GA level
File size: 12.7 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3
4	Winbind client API
5
6	Copyright (C) Gerald (Jerry) Carter 2007
7
8	This library is free software; you can redistribute it and/or
9	modify it under the terms of the GNU Lesser General Public
10	License as published by the Free Software Foundation; either
11	version 3 of the License, or (at your option) any later version.
12
13	This library is distributed in the hope that it will be useful,
14	but WITHOUT ANY WARRANTY; without even the implied warranty of
15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16	Library General Public License for more details.
17
18	You should have received a copy of the GNU Lesser General Public License
19	along with this program. If not, see <http://www.gnu.org/licenses/>.
20	*/
21
22	/* Required Headers */
23
24	#include "libwbclient.h"
25
26	/** @brief Authenticate a username/password pair
27	*
28	* @param username Name of user to authenticate
29	* @param password Clear text password os user
30	*
31	* @return #wbcErr
32	**/
33
34	wbcErr wbcAuthenticateUser(const char *username,
35	const char *password)
36	{
37	wbcErr wbc_status = WBC_ERR_SUCCESS;
38	struct wbcAuthUserParams params;
39
40	ZERO_STRUCT(params);
41
42	params.account_name = username;
43	params.level = WBC_AUTH_USER_LEVEL_PLAIN;
44	params.password.plaintext = password;
45
46	wbc_status = wbcAuthenticateUserEx(&params, NULL, NULL);
47	BAIL_ON_WBC_ERROR(wbc_status);
48
49	done:
50	return wbc_status;
51	}
52
53	static wbcErr wbc_create_auth_info(TALLOC_CTX *mem_ctx,
54	const struct winbindd_response *resp,
55	struct wbcAuthUserInfo **_i)
56	{
57	wbcErr wbc_status = WBC_ERR_SUCCESS;
58	struct wbcAuthUserInfo *i;
59	struct wbcDomainSid domain_sid;
60	char *p;
61	uint32_t sn = 0;
62	uint32_t j;
63
64	i = talloc(mem_ctx, struct wbcAuthUserInfo);
65	BAIL_ON_PTR_ERROR(i, wbc_status);
66
67	i->user_flags = resp->data.auth.info3.user_flgs;
68
69	i->account_name = talloc_strdup(i, resp->data.auth.info3.user_name);
70	BAIL_ON_PTR_ERROR(i->account_name, wbc_status);
71	i->user_principal= NULL;
72	i->full_name = talloc_strdup(i, resp->data.auth.info3.full_name);
73	BAIL_ON_PTR_ERROR(i->full_name, wbc_status);
74	i->domain_name = talloc_strdup(i, resp->data.auth.info3.logon_dom);
75	BAIL_ON_PTR_ERROR(i->domain_name, wbc_status);
76	i->dns_domain_name= NULL;
77
78	i->acct_flags = resp->data.auth.info3.acct_flags;
79	memcpy(i->user_session_key,
80	resp->data.auth.user_session_key,
81	sizeof(i->user_session_key));
82	memcpy(i->lm_session_key,
83	resp->data.auth.first_8_lm_hash,
84	sizeof(i->lm_session_key));
85
86	i->logon_count = resp->data.auth.info3.logon_count;
87	i->bad_password_count = resp->data.auth.info3.bad_pw_count;
88
89	i->logon_time = resp->data.auth.info3.logon_time;
90	i->logoff_time = resp->data.auth.info3.logoff_time;
91	i->kickoff_time = resp->data.auth.info3.kickoff_time;
92	i->pass_last_set_time = resp->data.auth.info3.pass_last_set_time;
93	i->pass_can_change_time = resp->data.auth.info3.pass_can_change_time;
94	i->pass_must_change_time= resp->data.auth.info3.pass_must_change_time;
95
96	i->logon_server = talloc_strdup(i, resp->data.auth.info3.logon_srv);
97	BAIL_ON_PTR_ERROR(i->logon_server, wbc_status);
98	i->logon_script = talloc_strdup(i, resp->data.auth.info3.logon_script);
99	BAIL_ON_PTR_ERROR(i->logon_script, wbc_status);
100	i->profile_path = talloc_strdup(i, resp->data.auth.info3.profile_path);
101	BAIL_ON_PTR_ERROR(i->profile_path, wbc_status);
102	i->home_directory= talloc_strdup(i, resp->data.auth.info3.home_dir);
103	BAIL_ON_PTR_ERROR(i->home_directory, wbc_status);
104	i->home_drive = talloc_strdup(i, resp->data.auth.info3.dir_drive);
105	BAIL_ON_PTR_ERROR(i->home_drive, wbc_status);
106
107	i->num_sids = 2;
108	i->num_sids += resp->data.auth.info3.num_groups;
109	i->num_sids += resp->data.auth.info3.num_other_sids;
110
111	i->sids = talloc_array(i, struct wbcSidWithAttr, i->num_sids);
112	BAIL_ON_PTR_ERROR(i->sids, wbc_status);
113
114	wbc_status = wbcStringToSid(resp->data.auth.info3.dom_sid,
115	&domain_sid);
116	BAIL_ON_WBC_ERROR(wbc_status);
117
118	#define _SID_COMPOSE(s, d, r, a) { \
119	(s).sid = d; \
120	if ((s).sid.num_auths < WBC_MAXSUBAUTHS) { \
121	(s).sid.sub_auths[(s).sid.num_auths++] = r; \
122	} else { \
123	wbc_status = WBC_ERR_INVALID_SID; \
124	BAIL_ON_WBC_ERROR(wbc_status); \
125	} \
126	(s).attributes = a; \
127	} while (0)
128
129	sn = 0;
130	_SID_COMPOSE(i->sids[sn], domain_sid,
131	resp->data.auth.info3.user_rid,
132	0);
133	sn++;
134	_SID_COMPOSE(i->sids[sn], domain_sid,
135	resp->data.auth.info3.group_rid,
136	0);
137	sn++;
138
139	p = (char *)resp->extra_data.data;
140	if (!p) {
141	wbc_status = WBC_ERR_INVALID_RESPONSE;
142	BAIL_ON_WBC_ERROR(wbc_status);
143	}
144
145	for (j=0; j < resp->data.auth.info3.num_groups; j++) {
146	uint32_t rid;
147	uint32_t attrs;
148	int ret;
149	char *s = p;
150	char *e = strchr(p, '\n');
151	if (!e) {
152	wbc_status = WBC_ERR_INVALID_RESPONSE;
153	BAIL_ON_WBC_ERROR(wbc_status);
154	}
155	e[0] = '\0';
156	p = &e[1];
157
158	ret = sscanf(s, "0x%08X:0x%08X", &rid, &attrs);
159	if (ret != 2) {
160	wbc_status = WBC_ERR_INVALID_RESPONSE;
161	BAIL_ON_WBC_ERROR(wbc_status);
162	}
163
164	_SID_COMPOSE(i->sids[sn], domain_sid,
165	rid, attrs);
166	sn++;
167	}
168
169	for (j=0; j < resp->data.auth.info3.num_other_sids; j++) {
170	uint32_t attrs;
171	int ret;
172	char *s = p;
173	char *a;
174	char *e = strchr(p, '\n');
175	if (!e) {
176	wbc_status = WBC_ERR_INVALID_RESPONSE;
177	BAIL_ON_WBC_ERROR(wbc_status);
178	}
179	e[0] = '\0';
180	p = &e[1];
181
182	e = strchr(s, ':');
183	if (!e) {
184	wbc_status = WBC_ERR_INVALID_RESPONSE;
185	BAIL_ON_WBC_ERROR(wbc_status);
186	}
187	e[0] = '\0';
188	a = &e[1];
189
190	ret = sscanf(a, "0x%08X",
191	&attrs);
192	if (ret != 1) {
193	wbc_status = WBC_ERR_INVALID_RESPONSE;
194	BAIL_ON_WBC_ERROR(wbc_status);
195	}
196
197	wbc_status = wbcStringToSid(s, &i->sids[sn].sid);
198	BAIL_ON_WBC_ERROR(wbc_status);
199
200	i->sids[sn].attributes = attrs;
201	sn++;
202	}
203
204	i->num_sids = sn;
205
206	*_i = i;
207	i = NULL;
208	done:
209	talloc_free(i);
210	return wbc_status;
211	}
212
213	static wbcErr wbc_create_error_info(TALLOC_CTX *mem_ctx,
214	const struct winbindd_response *resp,
215	struct wbcAuthErrorInfo **_e)
216	{
217	wbcErr wbc_status = WBC_ERR_SUCCESS;
218	struct wbcAuthErrorInfo *e;
219
220	e = talloc(mem_ctx, struct wbcAuthErrorInfo);
221	BAIL_ON_PTR_ERROR(e, wbc_status);
222
223	e->nt_status = resp->data.auth.nt_status;
224	e->pam_error = resp->data.auth.pam_error;
225	e->nt_string = talloc_strdup(e, resp->data.auth.nt_status_string);
226	BAIL_ON_PTR_ERROR(e->nt_string, wbc_status);
227
228	e->display_string = talloc_strdup(e, resp->data.auth.error_string);
229	BAIL_ON_PTR_ERROR(e->display_string, wbc_status);
230
231	*_e = e;
232	e = NULL;
233
234	done:
235	talloc_free(e);
236	return wbc_status;
237	}
238
239	/** @brief Authenticate with more detailed information
240	*
241	* @param params Input parameters, WBC_AUTH_USER_LEVEL_HASH
242	* is not supported yet
243	* @param info Output details on WBC_ERR_SUCCESS
244	* @param error Output details on WBC_ERR_AUTH_ERROR
245	*
246	* @return #wbcErr
247	**/
248
249	wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
250	struct wbcAuthUserInfo **info,
251	struct wbcAuthErrorInfo **error)
252	{
253	wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
254	int cmd = 0;
255	struct winbindd_request request;
256	struct winbindd_response response;
257
258	ZERO_STRUCT(request);
259	ZERO_STRUCT(response);
260
261	if (error) {
262	*error = NULL;
263	}
264
265	if (!params) {
266	wbc_status = WBC_ERR_INVALID_PARAM;
267	BAIL_ON_WBC_ERROR(wbc_status);
268	}
269
270	if (!params->account_name) {
271	wbc_status = WBC_ERR_INVALID_PARAM;
272	BAIL_ON_WBC_ERROR(wbc_status);
273	}
274
275	/* Initialize request */
276
277	switch (params->level) {
278	case WBC_AUTH_USER_LEVEL_PLAIN:
279	cmd = WINBINDD_PAM_AUTH;
280	request.flags = WBFLAG_PAM_INFO3_TEXT \|
281	WBFLAG_PAM_USER_SESSION_KEY \|
282	WBFLAG_PAM_LMKEY;
283
284	if (!params->password.plaintext) {
285	wbc_status = WBC_ERR_INVALID_PARAM;
286	BAIL_ON_WBC_ERROR(wbc_status);
287	}
288
289	if (params->domain_name && params->domain_name[0]) {
290	/* We need to get the winbind separator :-( */
291	struct winbindd_response sep_response;
292
293	ZERO_STRUCT(sep_response);
294
295	wbc_status = wbcRequestResponse(WINBINDD_INFO,
296	NULL, &sep_response);
297	BAIL_ON_WBC_ERROR(wbc_status);
298
299	snprintf(request.data.auth.user,
300	sizeof(request.data.auth.user)-1,
301	"%s%c%s",
302	params->domain_name,
303	sep_response.data.info.winbind_separator,
304	params->account_name);
305	} else {
306	strncpy(request.data.auth.user,
307	params->account_name,
308	sizeof(request.data.auth.user)-1);
309	}
310	strncpy(request.data.auth.pass,
311	params->password.plaintext,
312	sizeof(request.data.auth.user)-1);
313	break;
314
315	case WBC_AUTH_USER_LEVEL_HASH:
316	wbc_status = WBC_ERR_NOT_IMPLEMENTED;
317	BAIL_ON_WBC_ERROR(wbc_status);
318	break;
319
320	case WBC_AUTH_USER_LEVEL_RESPONSE:
321	cmd = WINBINDD_PAM_AUTH_CRAP;
322	request.flags = WBFLAG_PAM_INFO3_TEXT \|
323	WBFLAG_PAM_USER_SESSION_KEY \|
324	WBFLAG_PAM_LMKEY;
325
326	if (params->password.response.lm_length &&
327	!params->password.response.lm_data) {
328	wbc_status = WBC_ERR_INVALID_PARAM;
329	BAIL_ON_WBC_ERROR(wbc_status);
330	}
331	if (params->password.response.lm_length == 0 &&
332	params->password.response.lm_data) {
333	wbc_status = WBC_ERR_INVALID_PARAM;
334	BAIL_ON_WBC_ERROR(wbc_status);
335	}
336
337	if (params->password.response.nt_length &&
338	!params->password.response.nt_data) {
339	wbc_status = WBC_ERR_INVALID_PARAM;
340	BAIL_ON_WBC_ERROR(wbc_status);
341	}
342	if (params->password.response.nt_length == 0&&
343	params->password.response.nt_data) {
344	wbc_status = WBC_ERR_INVALID_PARAM;
345	BAIL_ON_WBC_ERROR(wbc_status);
346	}
347
348	strncpy(request.data.auth_crap.user,
349	params->account_name,
350	sizeof(request.data.auth_crap.user)-1);
351	if (params->domain_name) {
352	strncpy(request.data.auth_crap.domain,
353	params->domain_name,
354	sizeof(request.data.auth_crap.domain)-1);
355	}
356	if (params->workstation_name) {
357	strncpy(request.data.auth_crap.workstation,
358	params->workstation_name,
359	sizeof(request.data.auth_crap.workstation)-1);
360	}
361
362	request.data.auth_crap.logon_parameters =
363	params->parameter_control;
364
365	memcpy(request.data.auth_crap.chal,
366	params->password.response.challenge,
367	sizeof(request.data.auth_crap.chal));
368
369	request.data.auth_crap.lm_resp_len =
370	MIN(params->password.response.lm_length,
371	sizeof(request.data.auth_crap.lm_resp));
372	request.data.auth_crap.nt_resp_len =
373	MIN(params->password.response.nt_length,
374	sizeof(request.data.auth_crap.nt_resp));
375	if (params->password.response.lm_data) {
376	memcpy(request.data.auth_crap.lm_resp,
377	params->password.response.lm_data,
378	request.data.auth_crap.lm_resp_len);
379	}
380	if (params->password.response.nt_data) {
381	memcpy(request.data.auth_crap.nt_resp,
382	params->password.response.nt_data,
383	request.data.auth_crap.nt_resp_len);
384	}
385	break;
386	default:
387	break;
388	}
389
390	if (cmd == 0) {
391	wbc_status = WBC_ERR_INVALID_PARAM;
392	BAIL_ON_WBC_ERROR(wbc_status);
393	}
394
395	wbc_status = wbcRequestResponse(cmd,
396	&request,
397	&response);
398	if (response.data.auth.nt_status != 0) {
399	if (error) {
400	wbc_status = wbc_create_error_info(NULL,
401	&response,
402	error);
403	BAIL_ON_WBC_ERROR(wbc_status);
404	}
405
406	wbc_status = WBC_ERR_AUTH_ERROR;
407	BAIL_ON_WBC_ERROR(wbc_status);
408	}
409	BAIL_ON_WBC_ERROR(wbc_status);
410
411	if (info) {
412	wbc_status = wbc_create_auth_info(NULL,
413	&response,
414	info);
415	BAIL_ON_WBC_ERROR(wbc_status);
416	}
417
418	done:
419	if (response.extra_data.data)
420	free(response.extra_data.data);
421
422	return wbc_status;
423	}
424
425	/** @brief Trigger a verification of the trust credentials of a specific domain
426	*
427	* @param *domain The name of the domain, only NULL for the default domain is
428	* supported yet. Other values than NULL will result in
429	* WBC_ERR_NOT_IMPLEMENTED.
430	* @param error Output details on WBC_ERR_AUTH_ERROR
431	*
432	* @return #wbcErr
433	*
434	**/
435	wbcErr wbcCheckTrustCredentials(const char *domain,
436	struct wbcAuthErrorInfo **error)
437	{
438	struct winbindd_request request;
439	struct winbindd_response response;
440	wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
441
442	if (domain) {
443	/*
444	* the current protocol doesn't support
445	* specifying a domain
446	*/
447	wbc_status = WBC_ERR_NOT_IMPLEMENTED;
448	BAIL_ON_WBC_ERROR(wbc_status);
449	}
450
451	ZERO_STRUCT(request);
452	ZERO_STRUCT(response);
453
454	/* Send request */
455
456	wbc_status = wbcRequestResponse(WINBINDD_CHECK_MACHACC,
457	&request,
458	&response);
459	if (response.data.auth.nt_status != 0) {
460	if (error) {
461	wbc_status = wbc_create_error_info(NULL,
462	&response,
463	error);
464	BAIL_ON_WBC_ERROR(wbc_status);
465	}
466
467	wbc_status = WBC_ERR_AUTH_ERROR;
468	BAIL_ON_WBC_ERROR(wbc_status);
469	}
470	BAIL_ON_WBC_ERROR(wbc_status);
471
472	done:
473	return wbc_status;
474	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: